Why security is about not losing and never about winning?

I think there are two main approaches to nearly anything you do in life: an approach with the goal of not losing, or the goal of winning. Although these may sound quite similar, they are worlds apart. You may think that focusing on winning naturally means you do not lose, as it is a byproduct of winning. However, if you are focused on not losing you can achieve your goal but never actually win. The simplest way to understand this is a draw, but we are talking about something more profound here.

Nobody relishes being wrong, and I have yet to meet a person who enjoys being rejected. These are two of the main drivers behind not losing. However, if you are focused on winning you will lose some battles, and you will need to be rejected on some occasions before you finally get it right, agreed? So fear is the common denominator in a “not losing approach / strategy”; it is fear that drives that decision.

Fear and freedom

Which brings us to security. For better or for worse, be it right or be it wrong, security vendors pigeonhole customers into a don’t-lose mentality, seldom into a win frame of mind. The focus has very much been on FUD (fear, uncertainty and doubt) through the years, and it continues to be so in the great majority of cases.

But if you actually look into the psychology of fear and doubt, we see that we make very poor decisions when we are under stress, fearful or in doubt. The reality is also that after a while of listening to things that scare us, or if we feel someone is trying to scare us, we eventually tune out. This can in turn give the person trying to communicate the message the sense that the consumer just doesn’t get it, so, ironically, they up the fear ante to get the message across better than before.

There are generally two types of decisions: ones based on fear and ones based on growth (winning). Look at any important decisions you have made recently and think about which were based on fear and which were based on growth. Most likely the ones that sit well are the ones that were based on growth. The decisions based on fear generally sit poorly, as we don’t feel free to take any other option; we feel pushed into a corner and we resent it.

It may be logical but could we change it?

With this in mind it would seem counterproductive to have a fear-focused sales approach, but welcome to the world of security. Now we can all quite quickly chime in and say, “it’s security, you should be scared”, “you need to protect yourself”, so the logic should be fear. I get it, it’s “logical”, and as security is always one step behind the attack it makes sense, but does that mean there is no other way to focus our approach? Could security not be about winning – growth?

Last year I met a security professional from a prominent Silicon Valley unicorn, and she was adamant about changing this focus. She was downright peeved with the entire security community for pumping fear into the consumer and not giving them any sense of freedom of decision when looking to secure themselves. She was a breath of fresh air and has made me think deeply on the subject ever since.

Unfortunately, in tech, and I guess this extends to all mature industries, there is a mentality that if your competitor is doing it they must have a damn good reason for doing so, ipso facto, we should be doing the same. This might sound at best lame, at worst incompetent, but it is a daily occurrence. VCs and executives scan the latest press releases to see what their competitors are touting and then run back to the team and ask the inevitable questions: “Are we doing that, and if not, why not?”

Time for a change?

I have been in the cyber industry some 18 years now and have also used the fear card time and time again, but I am starting to think that it is time to change. I am not sure exactly how that change should be implemented, but we need to move away from FUD and give customers a sense of freedom: decisions that are based on winning / growing.

We have never had so much data available; maybe that should be the catalyst for change. Not only on malware and attacks, but on other metrics such as the positive outcomes and impacts of having good security in place: the impact on reputation, customer trust… All of this would require a lot of new thinking, but whoever is up for the challenge will find themselves in a blue ocean compared to the blood-red space that is cyber today.